#1454 introduce host-admin permission + docs
Merged 2 years ago by mikem. Opened 3 years ago by tkopecek.
tkopecek/koji issue1453  into  master

file modified
+1
@@ -22,6 +22,7 @@ 

      :maxdepth: 2

  

      HOWTO

+     permissions

      defining_hub_policies

      external_repo_server_bootstrap

      image_build

@@ -0,0 +1,82 @@ 

+ =================

+ Permission system

+ =================

+ 

+ Basic privileges for koji are handled by ``permissions``. These are granted

+ and removed by ``admin`` user and allows other users to use different parts

+ of koji. There are some default permissions, but new ones can be created by

+ administrator and used in koji's :doc:`policies <defining_hub_policies>` or tag

+ locks.

+ 

+ Permission management

+ =====================

+ 

+ Admin user can use following koji CLI commands:

+ 

+   * ``koji grant-permission [--new] <permission> <user> [<user> ...]`` for

+     granting permission to one or more users. It can be also used to create

+     new permission class with ``--new``.

+   * ``koji revoke-permission <permission> <user> [<user> ...]`` for removing

+     such permission from users.

+   * ``koji list-permissions [--user <user>] [--mine]`` is self-descriptive.

+ 

+ Default permissions

+ ===================

+ 

+ Administration

+ --------------

+ 

+ ``admin``

+   Basic permission, which can be delegated to other users. This

+   is superadmin without any limitations, so grant with caution. Especially

+   services should use some limited form instead of this.

+ 

+ ``host``

+   Restricted permission for handling host-related management tasks.

+ 

+ ``tag``

+   Permission for adding/deleting/editing tags

+ 

+ ``target``

+   Permission for adding/deleting/editing targets

+ 

+ Tasks

+ -----

+ 

+ ``appliance``

+   appliance tasks (``koji spin-appliance``)

+ 

+ ``build``

+   currently unused

+ 

+ ``dist-repo``

+   distRepo tasks (``koji dist-repo``)

+ 

+ ``image``

+   image tasks (``koji image-build``)

+ 

+ ``livecd``

+   livecd tasks (``koji spin-livecd``)

+ 

+ ``repo``

+   newRepo tasks (``koji regen-repo``)

+ 

+ ``regen-repo``

+   same as ``repo`` for now

+ 

+ Data Import

+ -----------

+ ``image-import``

+   used for importing external maven artifacts

+   (``koji import-archive --type maven``)

+ 

+ ``maven-import``

+   used for importing external maven artifacts

+   (``koji import-archive --type maven``)

+ 

+ ``win-admin``

+   used in default policy for windows builds ('vm' channel)

+ 

+ ``win-import``

+   used for importing external maven artifacts

+   (``koji import-archive --type win``)

file modified
+26 -26
@@ -688,7 +688,7 @@ 

  

  def writeInheritanceData(tag_id, changes, clear=False):

      """Add or change inheritance data for a tag"""

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _writeInheritanceData(tag_id, changes, clear)

  

  
@@ -1638,7 +1638,7 @@ 

  def grplist_add(taginfo, grpinfo, block=False, force=False, **opts):

      """Add to (or update) group list for tag"""

      #only admins....

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grplist_add(taginfo, grpinfo, block, force, **opts)

  

  
@@ -1696,7 +1696,7 @@ 

      Most of the time you really want to use the block or unblock functions

      """

      #only admins....

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grplist_remove(taginfo, grpinfo, force)

  

  
@@ -1724,7 +1724,7 @@ 

      Otherwise, raise an error

      """

      # only admins...

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grplist_unblock(taginfo, grpinfo)

  

  
@@ -1758,7 +1758,7 @@ 

  def grp_pkg_add(taginfo, grpinfo, pkg_name, block=False, force=False, **opts):

      """Add package to group for tag"""

      #only admins....

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grp_pkg_add(taginfo, grpinfo, pkg_name, block, force, **opts)

  

  
@@ -1822,7 +1822,7 @@ 

      Most of the time you really want to use the block or unblock functions

      """

      #only admins....

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grp_pkg_remove(taginfo, grpinfo, pkg_name, force)

  

  
@@ -1848,7 +1848,7 @@ 

      Otherwise, raise an error

      """

      # only admins...

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grp_pkg_unblock(taginfo, grpinfo, pkg_name)

  

  
@@ -1881,7 +1881,7 @@ 

  def grp_req_add(taginfo, grpinfo, reqinfo, block=False, force=False, **opts):

      """Add group requirement to group for tag"""

      #only admins....

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grp_req_add(taginfo, grpinfo, reqinfo, block, force, **opts)

  

  
@@ -1946,7 +1946,7 @@ 

      Most of the time you really want to use the block or unblock functions

      """

      #only admins....

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grp_req_remove(taginfo, grpinfo, reqinfo, force)

  

  
@@ -1973,7 +1973,7 @@ 

      Otherwise, raise an error

      """

      # only admins...

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _grp_req_unblock(taginfo, grpinfo, reqinfo)

  

  
@@ -2108,7 +2108,7 @@ 

          return [x for x in groups if not x['blocked']]

  

  def set_host_enabled(hostname, enabled=True):

-     context.session.assertPerm('admin')

+     context.session.assertPerm('host')

      host = get_host(hostname)

      if not host:

          raise koji.GenericError('host does not exist: %s' % hostname)
@@ -2128,7 +2128,7 @@ 

  

      Channel must already exist unless create option is specified

      """

-     context.session.assertPerm('admin')

+     context.session.assertPerm('host')

      host = get_host(hostname)

      if host == None:

          raise koji.GenericError('host does not exist: %s' % hostname)
@@ -2146,7 +2146,7 @@ 

      insert.execute()

  

  def remove_host_from_channel(hostname, channel_name):

-     context.session.assertPerm('admin')

+     context.session.assertPerm('host')

      host = get_host(hostname)

      if host == None:

          raise koji.GenericError('host does not exist: %s' % hostname)
@@ -2797,7 +2797,7 @@ 

  def create_build_target(name, build_tag, dest_tag):

      """Create a new build target"""

  

-     context.session.assertPerm('admin')

+     context.session.assertPerm('target')

      return _create_build_target(name, build_tag, dest_tag)

  

  
@@ -2833,7 +2833,7 @@ 

  

  def edit_build_target(buildTargetInfo, name, build_tag, dest_tag):

      """Set the build_tag and dest_tag of an existing build_target to new values"""

-     context.session.assertPerm('admin')

+     context.session.assertPerm('target')

      _edit_build_target(buildTargetInfo, name, build_tag, dest_tag)

  

  
@@ -2885,7 +2885,7 @@ 

  def delete_build_target(buildTargetInfo):

      """Delete the build target with the given name.  If no build target

      exists, raise a GenericError."""

-     context.session.assertPerm('admin')

+     context.session.assertPerm('target')

      _delete_build_target(buildTargetInfo)

  

  
@@ -3051,7 +3051,7 @@ 

  

  def create_tag(name, parent=None, arches=None, perm=None, locked=False, maven_support=False, maven_include_all=False, extra=None):

      """Create a new tag"""

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      return _create_tag(name, parent, arches, perm, locked, maven_support, maven_include_all, extra)

  

  
@@ -3206,7 +3206,7 @@ 

      :param list remove_extra: remove extra tag parameters.

      """

  

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _edit_tag(tagInfo, **kwargs)

  

  
@@ -3316,7 +3316,7 @@ 

  

  def delete_tag(tagInfo):

      """Delete the specified tag."""

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

      _delete_tag(tagInfo)

  

  
@@ -3469,7 +3469,7 @@ 

  def add_external_repo_to_tag(tag_info, repo_info, priority, merge_mode='koji'):

      """Add an external repo to a tag"""

  

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

  

      if merge_mode not in koji.REPO_MERGE_MODES:

          raise koji.GenericError('Invalid merge mode: %s' % merge_mode)
@@ -3496,7 +3496,7 @@ 

  def remove_external_repo_from_tag(tag_info, repo_info):

      """Remove an external repo from a tag"""

  

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

  

      tag = get_tag(tag_info, strict=True)

      tag_id = tag['id']
@@ -3516,7 +3516,7 @@ 

      """Edit a tag<->external repo association

      This allows you to update the priority without removing/adding the repo."""

  

-     context.session.assertPerm('admin')

+     context.session.assertPerm('tag')

  

      tag = get_tag(tag_info, strict=True)

      tag_id = tag['id']
@@ -4782,7 +4782,7 @@ 

  

      Returns True if changes are made to the database, False otherwise.

      """

-     context.session.assertPerm('admin')

+     context.session.assertPerm('host')

  

      host = get_host(hostInfo, strict=True)

  
@@ -8848,7 +8848,7 @@ 

      '''Contains functions that are made available via XMLRPC'''

  

      def restartHosts(self, priority=5, options=None):

-         context.session.assertPerm('admin')

+         context.session.assertPerm('host')

          if options is None:

              args = []

          else:
@@ -10185,7 +10185,7 @@ 

          """

          # verify existence of tag and/or convert name to id

          tag = get_tag_id(tag, strict=True)

-         context.session.assertPerm('admin')

+         context.session.assertPerm('tag')

          return writeInheritanceData(tag, data, clear=clear)

  

      def getFullInheritance(self, tag, event=None, reverse=False, stops=None, jumps=None):
@@ -10987,7 +10987,7 @@ 

          If krb_principal is not given then that field will be generated

          from the HostPrincipalFormat setting (if available).

          """

-         context.session.assertPerm('admin')

+         context.session.assertPerm('host')

          # validate arches

          arches = " ".join(arches)

          arches = koji.parse_arches(arches, strict=True)
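Review bot: The last hunk of this section (the hub method that takes `krb_principal` and `HostPrincipalFormat`, which the updated test calls as `addHost`) moves host registration from `admin` to `host`, and that path creates a new user record for the host (the test in this PR asserts `createUser(..., usertype=koji.USERTYPES['HOST'], krb_principal=...)`), so a `host`-permission holder can now register new builder identities, not only manage existing hosts. The new permissions page describes `host` only as "Restricted permission for handling host-related management tasks", and nothing in the method's docstring says it creates accounts; I would add to that docstring `Requires the 'host' permission. Note that this creates a new HOST-type user (and principal) for the host, so grant 'host' only to accounts trusted to register builders.` and mirror that sentence under ``host`` in the permissions document. The method body continues outside the hunk, so I cannot see whether any further check follows the arch validation. Separately, the `#only admins....` and `# only admins...` comments left directly above the changed `assertPerm('tag')` lines in the grplist_*, grp_pkg_* and grp_req_* hunks are now stale and should read `# requires 'tag' permission`.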

@@ -65,7 +65,7 @@ 

          r = self.exports.addHost('hostname', ['i386', 'x86_64'])

          self.assertEqual(r, 12)

  

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('host')

          kojihub.get_host.assert_called_once_with('hostname')

          self.context.session.createUser.assert_called_once_with('hostname',

                  usertype=koji.USERTYPES['HOST'], krb_principal='-hostname-')

@@ -37,7 +37,7 @@ 

          with self.assertRaises(koji.GenericError):

              kojihub.delete_tag('badtag')

          self.assertEqual(self.updates, [])

-         self.context.session.assertPerm.assert_called_with('admin')

+         self.context.session.assertPerm.assert_called_with('tag')

  

      def test_good_tag(self):

          self.get_tag.return_value = {'id': 'TAGID'}
@@ -50,4 +50,4 @@ 

              self.assertEqual(u.values, {'value': 'TAGID'})

              self.assertEqual(u.rawdata, {'active': 'NULL'})

              self.assertEqual(u.data, data)

-         self.context.session.assertPerm.assert_called_with('admin')

+         self.context.session.assertPerm.assert_called_with('tag')

@@ -66,7 +66,7 @@ 

          kojihub.grplist_add(tag, group)

  

          # what was called

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('tag')

          self.get_tag.assert_called_once_with(tag, strict=True)

          self.lookup_group.assert_called_once_with(group, create=True)

          self.get_tag_groups.assert_called_with('tag_id', inherit=True,
@@ -100,7 +100,7 @@ 

          self.context.session.assertPerm.side_effect = koji.GenericError

          with self.assertRaises(koji.GenericError):

              kojihub.grplist_add('tag', 'group')

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('tag')

          self.assertEqual(len(self.inserts), 0)

          self.assertEqual(len(self.updates), 0)

  
@@ -108,7 +108,7 @@ 

          self.get_tag.side_effect = koji.GenericError

          with self.assertRaises(koji.GenericError):

              kojihub.grplist_add('tag', 'group')

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('tag')

          self.assertEqual(len(self.inserts), 0)

          self.assertEqual(len(self.updates), 0)

  
@@ -125,7 +125,7 @@ 

          kojihub.grplist_block(tag, group)

  

          # what was called

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('tag')

          self.get_tag.assert_called_once_with(tag, strict=True)

          self.lookup_group.assert_called_once_with(group, create=True)

          self.get_tag_groups.assert_called_with('tag_id', inherit=True,
@@ -166,7 +166,7 @@ 

          kojihub.grplist_remove(tag, group)

  

          # what was called

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('tag')

          self.get_tag.assert_called_once_with(tag, strict=True)

          self.lookup_group.assert_called_once_with(group, strict=True)

  
@@ -192,7 +192,7 @@ 

              kojihub.grplist_unblock(tag, group)

  

          # what was called

-         self.context.session.assertPerm.assert_called_once_with('admin')

+         self.context.session.assertPerm.assert_called_once_with('tag')

          self.lookup_tag.assert_called_once_with(tag, strict=True)

          self.lookup_group.assert_called_once_with(group, strict=True)